\subsection{Debuggers}
\begin{frame}
    \frametitle{What is a Debugger?}
    \begin{definition}
        A debugger is a run-time analysis tool that allows you to instrument software at the assembly level.
    \end{definition}
    \begin{itemize}
        \item Common features include:
            \begin{itemize}
                \item CPU state information
                \item Single stepping
                \item Breakpoints
                \item Memory exploration and modification
                \item Thread enumeration
                \item PE file parsing
            \end{itemize}
    \end{itemize}
\end{frame}

\begin{frame}
    \frametitle{Unix Debuggers}
    \begin{itemize}
        \item GDB: The GNU Debugger
            \pedbullet{DDD: GUI front end}
        \item ADB
        \item Fenris, \alert{\url{http://lcamtuf.coredump.cx/fenris}}
        \item RR0D, \alert{\url{http://rr0d.droids-corp.org}}
            \pedbullet{This is actually an OS independent debugger, but there is no space on the next slide ;-)}
    \end{itemize}
\end{frame}

\begin{frame}
    \frametitle{Microsoft Windows Debuggers}
    \begin{itemize}
        \item Microsoft WinDbg
            \pedbullet{Powerful, freeware GUI debugging tool. Excellent for kernel development / abuse and security research}
        \item SoftICE
            \pedbullet{Powerful, expensive kernel debugger}
            \pedbullet{ICE = \alert{I}n \alert{C}ircuit \alert{E}mulator}
        \item OllyDbg
            \pedbullet{Powerful, freeware GUI debugging tool. Excellent for malware analysis and security research}
        \item IDA Pro
            \pedbullet{Clunky interface and difficult to use}
        \item PyDbg
            \pedbullet{Scripted debugger, sub-component of PaiMei}
    \end{itemize}
\end{frame}


\subsection{Disassemblers / Decompilers}
\begin{frame}
    \frametitle{What is a Disassembler?}
    \begin{definition}
        A disassembler is a static-analysis tool that translates raw bytes into assembly language, essentially the inverse of an assembler.
    \end{definition}
    \begin{itemize}
        \item There are many x86 disassembler libraries
        \item All debuggers have disassembling capabilities
        \item The hardest aspect of disassembly is differentiating between code and data
        \item There are fewer options for a solid pure disassembler\dots
    \end{itemize}
\end{frame}

\begin{frame}
    \frametitle{DataRescue IDA Pro}
    \begin{itemize}
        \item The de facto standard in static analysis technology
        \item Supports multiple architectures
        \item Cross-platform, GUI and console
        \item Scriptable and pluggable
            \pedbullet{Lots of custom software written on this platform}
    \end{itemize}
\end{frame}

\begin{frame}[fragile]
    \frametitle{What is a Decompiler?}
    \begin{definition}
        A decompiler attempts to translate raw binary data into a higher level language than assembly. They generally fail miserably.
    \end{definition}
    \begin{itemize}
        \item \emph{``You can't get the toothpaste back in the tube''}
            \pedbullet{i.e., \alert{true} decompilation is impossible}
        \item Some tools exist, for the most part they provide you with a more readable disassembly
    \end{itemize}
    \begin{uncoverenv}
        \begin{block}{}
            \begin{tiny}
            \begin{semiverbatim}
                if(*(ebp + 12) == -1)
                    eax = *( *(ebp + 8) * 4 + 0x422cc4);
                else
                    if((*(ebp + 12) & -8) != 0)
                        eax = eax | -1;
                    else
                        *(ebp - 4) = *(*(ebp + 8) * 4 + 0x422cc4);
                        ecx = *(ebp + 8);
            \end{semiverbatim}
            \end{tiny}
        \end{block}
    \end{uncoverenv}
\end{frame}

\begin{frame}
    \frametitle{Tools}
    \begin{itemize}
        \item REC
            \pedbullet{Useful (but unstable) command line tool}
            \pedbullet{We will give you a private IDA plug-in that can import REC output}
        \item REC Studio
            \pedbullet{GUI version of REC}
            \pedbullet{Even more unstable}
        \item Desquirr
            \pedbullet{IDA plug-in}
            \pedbullet{Generates decent results but only does so in the messages window}
        \item Boomerang
            \pedbullet{Open source, worth keeping an eye on}
        \item Hex-Rays
            \pedbullet{Most recent of the tools}
            \pedbullet{IDA extension written by Ilfak of DataRescue}
    \end{itemize}
\end{frame}


\subsection{Other}
\begin{frame}
    \frametitle{Web Services}
    \begin{itemize}
        \item Virus Total (virustotal.com)
            \pedbullet{Online AV multi-scanner}
        \item Offensive Computing (offensivecomputing.net)
            \pedbullet{Malware zoo}
            \pedbullet{Over 600,000 samples}
        \item CWSandbox (cwsandbox.org)
            \pedbullet{COM, File, Mutex, Registry, Process information}
            \pedbullet{Network activity overview}
            \pedbullet{Human-readable and machine-parseable outputs (XML)}
        \item Anubis (anubis.iseclab.org)
            \pedbullet{Same as CW, adds PCAPs}
    \end{itemize}
\end{frame}


\include{basic_analysis/python}